Coolify Docker Images Exposed: Outdated Alpine Packages with Known CVEs in Helper & Realtime Containers
A security audit of Coolify's Docker images has revealed that two critical components, `coolify-helper` and `coolify-realtime`, were being built with outdated and vulnerable Alpine Linux packages. Unlike the main production image, these containers were missing the standard `apk upgrade` command, leaving them exposed to known, exploitable security flaws at deployment time. This oversight created a direct vector for potential compromise within the Coolify deployment stack.
The `coolify-helper` image, based on Alpine 3.21 with OpenSSL 3.3.5, was vulnerable to CVE-2025-15467, a stack buffer overflow in CMS IV parsing. The `coolify-realtime` image, built on a soketi base with Alpine 3.18 and OpenSSL 3.1.2, was not affected by that specific CVE but contained other outdated OpenSSL packages with their own vulnerabilities, including CVE-2023-5363 and CVE-2024-6119. The fix, mirroring the existing production Dockerfile, adds `apk upgrade --no-cache` before package installation to apply all available Alpine security patches at build time.
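As an added illustration (not Coolify's own Dockerfile; the `alpine:3.21` tag and the `curl` package are assumptions standing in for the real base image and package list), the weak build pattern beside the corrected one:

```dockerfile
# Illustrative only: base tag and package list are assumptions, not Coolify's files.

# --- Before: packages added on top of the base layer's frozen package set ---
FROM alpine:3.21 AS before
# apk add installs only the packages named here. Packages already present in
# the base layer (openssl, musl, busybox, ...) are left at whatever version the
# base image was built with, so Alpine fixes published since then never land.
RUN apk add --no-cache curl

# --- After: the production image's pattern applied to the helper image ---
FROM alpine:3.21 AS after
# apk upgrade first refreshes the index and moves every installed package,
# including the base layer's OpenSSL, to the current Alpine security release.
# --no-cache fetches the index without persisting it into the layer.
RUN apk upgrade --no-cache \
 && apk add --no-cache curl
```

To confirm an already-built image carries no pending Alpine fixes, run `docker run --rm --entrypoint sh IMAGE -c 'apk update -q && apk list --upgradable'`; an empty list means the configured repositories hold nothing newer than what is installed.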
This incident highlights a common but critical failure pattern in container security: inconsistent hardening practices across a suite of related images. For organizations deploying Coolify, it signals that their infrastructure may have been running containers with unpatched, public vulnerabilities. The fix closes these specific gaps, but the discovery prompts broader scrutiny of build pipeline consistency and the security posture of all ancillary services in modern DevOps toolchains.